Do not show email during registation if user has no permission

Closes #37899 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-01-10 15:32:05 -03:30 · 2025-05-09 04:11:35 -03:00 · 2025-05-09 04:11:35 -03:00 · 4973de6314
commit 4973de6314
parent 953ba04018
2 changed files with 80 additions and 6 deletions
--- a/server-spi-private/src/main/java/org/keycloak/userprofile/DefaultAttributes.java
+++ b/server-spi-private/src/main/java/org/keycloak/userprofile/DefaultAttributes.java
@ -111,7 +111,11 @@ public class DefaultAttributes extends HashMap<String, List<String>> implements
    private boolean isReadableOrWritableDuringRegistration(String name) {
        if (context.equals(UserProfileContext.REGISTRATION) && isRequired(name)) {
            // in context of registration, username or email (email as username) cannot be readonly otherwise registration is not possible
-            return UserModel.EMAIL.equals(name) || UserModel.USERNAME.equals(name);
+            if (UserModel.EMAIL.equals(name)) {
+                RealmModel realm = session.getContext().getRealm();
+                return realm.isRegistrationEmailAsUsername();
+            }
+            return UserModel.USERNAME.equals(name);
        }
        return false;
    }
@ -295,12 +299,14 @@ public class DefaultAttributes extends HashMap<String, List<String>> implements
                continue;
            }

-            if (!isReadableOrWritableDuringRegistration(name)) {
-                AttributeContext attributeContext = createAttributeContext(metadata);
+            if (isReadableOrWritableDuringRegistration(name)) {
+                continue;
+            }

-                if (!metadata.canView(attributeContext) || !metadata.isSelected(attributeContext)) {
-                    attributes.remove(name);
-                }
+            AttributeContext attributeContext = createAttributeContext(metadata);
+
+            if (!metadata.canView(attributeContext) || !metadata.isSelected(attributeContext)) {
+                attributes.remove(name);
            }
        }

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterWithUserProfileTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterWithUserProfileTest.java
@ -22,6 +22,9 @@ import static org.hamcrest.Matchers.anyOf;
 import static org.hamcrest.Matchers.containsString;
 import static org.junit.Assert.assertEquals;

+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.keycloak.testsuite.util.userprofile.UserProfileUtil.PERMISSIONS_ADMIN_ONLY;
 import static org.keycloak.testsuite.util.userprofile.UserProfileUtil.PERMISSIONS_ALL;
 import static org.keycloak.testsuite.util.userprofile.UserProfileUtil.PERMISSIONS_ADMIN_EDITABLE;
 import static org.keycloak.testsuite.util.userprofile.UserProfileUtil.SCOPE_DEPARTMENT;
@ -622,6 +625,71 @@ public class RegisterWithUserProfileTest extends AbstractTestRealmKeycloakTest {
        ));
    }

+    @Test
+    public void testEmailNotWritable() {
+        setUserProfileConfiguration("{\"attributes\": ["
+                + "{\"name\": \"firstName\"," + PERMISSIONS_ALL + ", \"required\": {}},"
+                + "{\"name\": \"lastName\"," + PERMISSIONS_ALL + ", \"required\": {}},"
+                + "{\"name\": \"email\"," + PERMISSIONS_ADMIN_ONLY + ", \"required\": {\"roles\" : [\"user\"]}}"
+                + "]}");
+
+        loginPage.open();
+        loginPage.clickRegister();
+        registerPage.assertCurrent();
+
+        assertFalse(registerPage.isEmailPresent());
+
+        registerPage.register("firstName", "lastName", null, "myusername", generatePassword());
+
+        assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
+    }
+
+    @Test
+    public void testEmailNotShownIfReadOnly() {
+        setUserProfileConfiguration("{\"attributes\": ["
+                + "{\"name\": \"firstName\"," + PERMISSIONS_ALL + ", \"required\": {}},"
+                + "{\"name\": \"lastName\"," + PERMISSIONS_ALL + ", \"required\": {}},"
+                + "{\"name\": \"email\"," + PERMISSIONS_ADMIN_EDITABLE + ", \"required\": {\"roles\" : [\"user\"]}}"
+                + "]}");
+
+        loginPage.open();
+        loginPage.clickRegister();
+        registerPage.assertCurrent();
+
+        assertFalse(registerPage.isEmailPresent());
+
+        registerPage.register("firstName", "lastName", null, "myusername1", generatePassword());
+
+        assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
+    }
+
+    @Test
+    public void testEmailNotAllowedButEmailAsUsername() {
+        RealmRepresentation realm = testRealm().toRepresentation();
+        realm.setRegistrationEmailAsUsername(true);
+        testRealm().update(realm);
+        getCleanup().addCleanup(() -> {
+            realm.setRegistrationEmailAsUsername(false);
+            testRealm().update(realm);
+        });
+        setUserProfileConfiguration("{\"attributes\": ["
+                + "{\"name\": \"firstName\"," + PERMISSIONS_ALL + ", \"required\": {}},"
+                + "{\"name\": \"lastName\"," + PERMISSIONS_ALL + ", \"required\": {}},"
+                + "{\"name\": \"email\"," + PERMISSIONS_ADMIN_EDITABLE + ", \"required\": {\"roles\" : [\"user\"]}}"
+                + "]}");
+
+        loginPage.open();
+        loginPage.clickRegister();
+        registerPage.assertCurrent();
+
+        assertFalse(registerPage.isUsernamePresent());
+        assertTrue(registerPage.isEmailPresent());
+
+        registerPage.registerWithEmailAsUsername("firstName", "lastName", "myusername1@keycloak.org", generatePassword());
+
+        assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
+    }
+
    private void assertUserRegistered(String userId, String username, String email, String firstName, String lastName) {
        events.expectLogin().detail("username", username.toLowerCase()).user(userId).assertEvent();